From: Baptiste Jonglez <g...@bitsofnetworks.org>

Currently, package index signatures are only checked when opkg runs on the
OpenWrt device.  The verification script is hard-coded to a path in
/usr/sbin/.

Making this path configurable is a first step towards implementing
signature verification in host builds of opkg (e.g. in the imagebuilder).

Signed-off-by: Baptiste Jonglez <g...@bitsofnetworks.org>
---
 libopkg/opkg_conf.c     | 4 ++++
 libopkg/opkg_conf.h     | 3 +++
 libopkg/opkg_download.c | 2 +-
 src/opkg-cl.c           | 8 ++++++++
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
index 08855eb..38703ee 100644
--- a/libopkg/opkg_conf.c
+++ b/libopkg/opkg_conf.c
@@ -72,6 +72,7 @@ opkg_option_t options[] = {
        {"size", OPKG_OPT_TYPE_BOOL, &_conf.size},
        {"tmp_dir", OPKG_OPT_TYPE_STRING, &_conf.tmp_dir},
        {"verbosity", OPKG_OPT_TYPE_INT, &_conf.verbosity},
+       {"verify_program", OPKG_OPT_TYPE_STRING, &_conf.verify_program},
        {NULL, 0, NULL}
 };
 
@@ -572,6 +573,9 @@ int opkg_conf_load(void)
        if (conf->lists_dir == NULL)
                conf->lists_dir = xstrdup(OPKG_CONF_LISTS_DIR);
 
+       if (conf->verify_program == NULL)
+               conf->verify_program = 
xstrdup(OPKG_CONF_DEFAULT_VERIFY_PROGRAM);
+
        if (conf->offline_root) {
                sprintf_alloc(&tmp, "%s/%s", conf->offline_root,
                              conf->lists_dir);
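Review bot: The default for `conf->verify_program` is allocated here with `xstrdup`, but nothing in this patch releases it; the diffstat accounts for only the option-table entry and these lines in opkg_conf.c. If `opkg_conf_deinit()` frees the other string options, it should gain `free(conf->verify_program);` as well. Unlike `lists_dir` in the lines just below, the path is not prefixed with `offline_root`; if that is deliberate because the verifier runs on the host, a one-line comment such as `/* not relative to offline_root: the verifier is a host program */` would record it. opkg_conf_load() starts and ends outside this hunk.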
diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
index 37f95a1..91190b3 100644
--- a/libopkg/opkg_conf.h
+++ b/libopkg/opkg_conf.h
@@ -35,6 +35,8 @@ extern opkg_conf_t *conf;
 
 #define OPKG_CONF_DEFAULT_CONF_FILE_DIR OPKGETCDIR"/opkg"
 
+#define OPKG_CONF_DEFAULT_VERIFY_PROGRAM "/usr/sbin/opkg-key"
+
 /* In case the config file defines no dest */
 #define OPKG_CONF_DEFAULT_DEST_NAME "root"
 #define OPKG_CONF_DEFAULT_DEST_ROOT_DIR "/"
@@ -85,6 +87,7 @@ struct opkg_conf {
        char *overlay_root;
        int query_all;
        int verbosity;
+       char *verify_program;
        int noaction;
        int size;
        int download_only;
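Review bot: The new `verify_program` field carries a contract that is only visible in opkg_download.c, so it should be documented where it is declared. Going by the call in opkg_verify_file(), a comment like `/* program run as "<verify_program> verify <sig_file> <text_file>"; exit status 0 means the signature is valid */` above the field would tell anyone supplying a replacement verifier what it must implement. struct opkg_conf starts and ends outside this hunk.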
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index e970506..7bbf34b 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -298,7 +298,7 @@ int opkg_prepare_url_for_install(const char *url, char 
**namep)
 int opkg_verify_file(char *text_file, char *sig_file)
 {
 #if defined HAVE_USIGN
-       const char *argv[] = { "/usr/sbin/opkg-key", "verify", sig_file,
+       const char *argv[] = { conf->verify_program, "verify", sig_file,
                               text_file, NULL };
 
        return xsystem(argv) ? -1 : 0;
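Review bot: `conf->verify_program` is passed as argv[0] without any check, and after this change its value comes from the config file or the command line instead of a constant. The outcome of signature verification is now whatever exit status that program returns, so the value deserves validation here or where it is set. A caller that reaches opkg_verify_file() before opkg_conf_load() has filled in the default would hand xsystem() a NULL argv[0], and if xsystem() resolves names through PATH a relative value would pick the verifier from the environment. A guard at the top of the HAVE_USIGN branch such as `if (!conf->verify_program || conf->verify_program[0] != '/') return -1;` keeps the check failing closed. The function body continues past the end of this hunk.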
diff --git a/src/opkg-cl.c b/src/opkg-cl.c
index 40a7502..01c6e94 100644
--- a/src/opkg-cl.c
+++ b/src/opkg-cl.c
@@ -53,6 +53,7 @@ enum {
        ARGS_OPT_CACHE,
        ARGS_OPT_FORCE_SIGNATURE,
        ARGS_OPT_NO_CHECK_CERTIFICATE,
+       ARGS_OPT_VERIFY_PROGRAM,
        ARGS_OPT_SIZE,
 };
 
@@ -109,6 +110,8 @@ static struct option long_options[] = {
        {"lists-dir", 1, 0, 'l'},
        {"lists_dir", 1, 0, 'l'},
        {"verbosity", 2, 0, 'V'},
+       {"verify-program", 1, 0, ARGS_OPT_VERIFY_PROGRAM},
+       {"verify_program", 1, 0, ARGS_OPT_VERIFY_PROGRAM},
        {"version", 0, 0, 'v'},
        {0, 0, 0, 0}
 };
@@ -232,6 +235,9 @@ static int args_parse(int argc, char *argv[])
                case ARGS_OPT_NO_CHECK_CERTIFICATE:
                        conf->no_check_certificate = 1;
                        break;
+               case ARGS_OPT_VERIFY_PROGRAM:
+                       conf->verify_program = xstrdup(optarg);
+                       break;
                case ':':
                        parse_err = -1;
                        break;
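Review bot: A repeated `--verify-program` leaks the earlier copy, because the new case overwrites `conf->verify_program` without releasing it; `free(conf->verify_program);` before the `xstrdup(optarg)` would cover that. It is also not visible from this hunk which value wins when both the command line and a `verify_program` line in the config file are present. Since this option selects the program that judges signatures, the precedence is worth stating in a comment here or in the usage text. args_parse() starts and ends outside this hunk.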
@@ -322,6 +328,8 @@ static void usage()
        printf("                                directory name in a pinch).\n");
        printf("\t-o <dir>              Use <dir> as the root directory for\n");
        printf("\t--offline-root <dir>  offline installation of packages.\n");
+       printf
+           ("\t--verify-program <path> Use the given program to verify usign 
signatures\n");
        printf
            ("\t--add-arch <arch>:<prio>        Register architecture with 
given priority\n");
        printf
-- 
2.27.0

